Things that may (not) work better after migrating from UTM to XGS

My personal experience so far (current firmware version):

- on each of my 2 factory-new XGS3300 -> the setup assistant got stuck in a loop and I could not finish the setup without a factory reset (not a good first impression ;-)
- planned firmware auto-updates like on UTM are not possible anymore without registering for and using the Central service
- poor mail logging in the GUI: pretty useless on XGS compared to UTM -> you have to use the console to see the full logs (and mails that never even reach the MTA)
- on UTM you could see whether and where any object is in use -> not anymore on XGS
- only single addresses can be added to mail exceptions (networks or host groups not possible)
- self-signed Windows certificates cannot be added as trusted certificates (the firewall does not trust any cert that is not a CA or issued by a CA)
- it is not possible to deactivate an interface (pre-configuring by creating deactivated interfaces like on UTM is not possible)
- you cannot add a LAG interface without giving it an IP or activating DHCP on it
- no AD user pre-caching: AD users only exist on the firewall if (and only if) the users have logged in to the user portal first (as admin you cannot do anything anymore, not even get an SSL VPN config file for the user)
- AD users cannot be migrated from UTM (including OTP hashes) -> all AD users get to create themselves again in the user portal, including OTP
- AD groups cannot be used for admin groups / users on the firewall
- it is not possible to switch a firewall admin user back to a normal user (you have to delete and re-create the user)
- no notification possible when your RED is alive again (if your RED goes down, maybe it's up again, maybe not...)
- to get your RED running on the new firewall you have to restart the device for re-provisioning (maybe a problem at remote sites without IT)
- the Connect provisioning feature only works if you make the user portal reachable (maybe even from the WAN if users only work from home)
- provisioning does not work for OTP users who have not created themselves in the user portal beforehand (so any user with OTP needs to log in 2x to get a config via provisioning)
- Connect provisioning gives any user with OTP a connection error (the provisioned config connects right after the user's provisioning login -> the connection fails because an OTP code can only be used 1x)

A lot of things are of course better compared to UTM -> any Sophos sales guy can tell you that in his sleep.

[edited by: Quallensaft at 3:34 PM (GMT -7) on 14 Aug 2023]
  • We do a lot for non-profits and charities, so we already run a lot of open source. The challenge is mainly on the management side; technically all solutions (firewall, IPS, proxy, reverse proxy, mail services, etc.) are well established and stable, but without a good GUI it is very difficult to manage it all efficiently.

    It is the biggest issue I have with the XG, apart from the lack of some features: the architecture is so illogical (no central object management, separate IPv4 and IPv6 objects, etc.) that the management cost triples. Not to mention the difference in licensing costs between the XG and the UTM.

  • We run a postfix / dovecot / roundcube / sogo / amavis / spamassassin / clamav HA cluster for email, and have done so for years. With a database backend, so it wasn't too complex to build a web interface for it, which we use to manage domains, mailboxes, quotas, whitelists and blacklists, etc.

  • All very true. It has saddened me that I moved, trusting that the platform I have loved and used for over a decade needed new hardware, and it seemed like a great idea to move to the next-gen platform. "It does everything the UTM does and more!" said sales.

    NO, it does not!

    I wish I had seen this a year ago! I would likely be on Palo Altos now.

  • - on each of my 2 factory-new XGS3300 -> the setup assistant got stuck in a loop and I could not finish the setup without a factory reset (not a good first impression ;-)

    That is fixed in the latest version.


    - planned firmware auto-updates like on UTM are not possible anymore without registering for and using the Central service

    Central Firewall Management does this for you (free management, and it gives you the advantages of a management platform, like reporting, alert management etc., for free).


    - poor mail logging in the GUI: pretty useless on XGS compared to UTM -> you have to use the console to see the full logs (and mails that never even reach the MTA)

    I would recommend taking a look at Central Email instead, if you want to do email security.


    - on UTM you could see whether and where any object is in use -> not anymore on XGS

    Implemented in V20.0

    - only single addresses can be added to mail exceptions (networks or host groups not possible)

    This would be possible in Central Email.

    - self-signed Windows certificates cannot be added as trusted certificates (the firewall does not trust any cert that is not a CA or issued by a CA)

    You can add the certificate as a CA as well, so it would be trusted by the firewall.


    - it is not possible to deactivate an interface (pre-configuring by creating deactivated interfaces like on UTM is not possible)

    Implemented in V20.0.


    - you cannot add a LAG interface without giving it an IP or activating DHCP on it

    Correct - you need VLAN 1 (untagged) in SFOS for a LAG. Most customers have something in place, but a dummy IP would also be possible if needed.


    - no AD user pre-caching: AD users only exist on the firewall if (and only if) the users have logged in to the user portal first (as admin you cannot do anything anymore, not even get an SSL VPN config file for the user)
    - AD users cannot be migrated from UTM (including OTP hashes) -> all AD users get to create themselves again in the user portal, including OTP
    - AD groups cannot be used for admin groups / users on the firewall
    - it is not possible to switch a firewall admin user back to a normal user (you have to delete and re-create the user)
    - the Connect provisioning feature only works if you make the user portal reachable (maybe even from the WAN if users only work from home)
    - provisioning does not work for OTP users who have not created themselves in the user portal beforehand (so any user with OTP needs to log in 2x to get a config via provisioning)
    - Connect provisioning gives any user with OTP a connection error (the provisioned config connects right after the user's provisioning login -> the connection fails because an OTP code can only be used 1x)

    The entire section would be addressable with Azure AD + ZTNA, if you want to take it to another level.
    By using Azure AD, you would outsource the work of handling OTP and user management by doing it in Microsoft Azure and not on the firewall anymore.
    ZTNA would leverage this for you and simply give you the connection from user A to application B, using the firewall as a gateway. True SSO without the implication of maintaining the configurations etc.


    As a Sophos consultant, I am addressing all those points you are raising because they come up when migrating a UTM to SFOS like that. We are using Azure AD and Central for those features and not doing it on the firewall.
    That is just how I approach those requests.

    __________________________________________________________________________________________________________________
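Added example, not from the original post, the consultant's reply or Sophos: a plain RFC 4226/6238 HOTP/TOTP verifier with the usual "never accept a time step twice" replay check, used to replay the provisioning flow described above (portal login with a code, then the freshly provisioned client connecting seconds later with the same code). SFOS's actual OTP implementation is not on the page; the example assumes it behaves like any standard TOTP verifier that remembers the last consumed step. The secret is the RFC 6238 test-vector secret and the timeline is constructed.

```python
"""Why a provisioning login and an immediate VPN connect cannot share one OTP code.

Added example: standard RFC 4226 HOTP / RFC 6238 TOTP with a last-consumed-step
replay check. The firewall's own OTP code is not on the page; it is assumed here to
behave like any standard TOTP verifier with replay protection.
"""
import hmac
import hashlib
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server-side verifier: a code is accepted once, and a consumed time step is never reused."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # tolerated clock skew, in steps on either side
        self.last_counter = -1    # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // STEP
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue          # replay: this step has already been used once
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def provisioning_scenario(secret: bytes, t: int) -> tuple:
    """Reproduce the flow from the thread on a constructed timeline.

    1. The user logs into the user portal with a fresh TOTP code (accepted).
    2. The provisioned client connects a few seconds later with the same code (rejected,
       whether or not the 30 s step has rolled over, because that step is remembered).
    3. The user waits for the next step and enters a new code (accepted).
    """
    verifier = OtpVerifier(secret)
    code = totp(secret, t)
    portal_login = verifier.verify(code, t)
    client_reuse = verifier.verify(code, t + 5)
    client_retry = verifier.verify(totp(secret, t + STEP), t + STEP)
    return portal_login, client_reuse, client_retry


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"); the timeline is constructed.
    secret = b"12345678901234567890"
    print(provisioning_scenario(secret, 1234567890))
```

The replay check is the whole point: after the portal has consumed the step for the code the user typed, nothing the client does with that same code will succeed, so a provisioning flow that reuses the login code for the first tunnel attempt fails by design. The only fixes are to make the client prompt for a fresh code or to stop using the portal login credentials for the tunnel.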

  • "... Central Firewall Management ..." , "... Central Email...".

    Which security company thought it would be a good idea if customers bought their products to secure their IT environment, and then give all control and access away to some cloud service? We don't use other cloud services for the same reason.

    Are you out of your mind? Not in a million years.

    Fact remains, Sophos made an enormous ***-up by acquiring Cyberoam and dumping their own products in exchange for the inferior Cyberoam firewall. Now, after 20 !!! major releases, it still lags behind the UTM, even considering the fact that Sophos hasn't spent any serious time on the UTM in recent years.

  • Could you DM me your account details? I assume the SE of your region would like to discuss your situation in more detail.

    __________________________________________________________________________________________________________________

  • Very true and very well stated. Coming from someone with a ton of knowledge ;-)

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • Pretty pointless; no SE can reverse the decision to drop the UTM, the decision to buy Cyberoam, or magically fix the many shortcomings of its firewall compared to the UTM.

    We've been UTM users and UTM managers since Astaro times. The decision, forced upon us, to drop the UTM will cost us and our managed service customers a lot of money, not only the migration to another platform (which won't be Sophos), but also on additional systems to cover for potentially missing functionality.

    Also, don't forget the costs of redesigning the network side of things. For example, the way the reverse proxy works in the UTM is different from a stand-alone RP. Think about different IPs, no more automatic firewall rules, different traffic flows and load on firewall interfaces, changes to backend applications, etc. Moving away from the UTM is going to be costly.

  • Thanks for the feedback. I can only comment on the DACH region, which is adopting cloud-based solutions heavily right now.

    __________________________________________________________________________________________________________________

  • 100 million lemmings can't be wrong, right? ;-)

    I know every Tom, *** and Harry is adopting cloud. That doesn't mean it is better, cheaper or safer.

    Cloud could be a solution if you have hugely varying loads and you need to be able to scale up or down quickly. Or if you as a company don't have or want the skills to run a datacenter environment (outsourcing non-core competencies, another fad).

    If someone manages to hack their way into Sophos' cloud services, all their clients could be compromised. Sophos itself might be able to survive that, but I'm pretty sure we would be out of business.